Malware 101: What You Need to Know about Ransomware

Don't wait to figure out how to remove it - learn how to prevent attacks from targeting you instead.

16 August, 2016

What is Ransomware?

Ransomware is a form of malware, which is software used to get unrestricted access to a victim computer or device. Ransomware is a type of malware which is used by cyber criminals to hold their victims’ important data hostage in order to extort money. Typically, this is done by encrypting the victims' data so that they cannot access it again until they pay the cybercriminals for a decryption key. Over the past few years, there have been various strains of ransomware in use by cybercrime groups. They have varied in the details, but their overall approach has generally stayed consistent over time.

Ransomware has become more advanced over the years. The earlier implementations (e.g. Cryptolocker) were good but ransomware as a whole has increased its effectiveness and complexity over time. The most recent variants have the ability to encrypt more file types, utilize stronger and proper encryption implementations, delete system restore content, and have the ability to propagate via multiple channels (e.g USB Keys) within an environment.

How Do You Get Ransomware?

A drive-by download is the unintentional download of computer software from the internet. This includes activity where the user’s browser downloads and installs content without their knowledge or results in unintentional actions. With a drive-by download, the download and installation of the malicious software often happens invisibly in the background, so the user is not even aware of it. The following are some examples of drive-by download scenarios which result in the download of unintentional software:

A fake application representing itself as legitimate software, or a malicious application bundled along with legitimate software is downloaded and installed by the user from the Internet

A legitimate web site is injected with malicious content that uses a browser exploit to download and install malware on the user's computer

The user's computer is infected with malware delivered via a malicious advertisement that is displayed while visiting a legitimate web page

The user is tricked into visiting a link to a malicious web page that uses a browser exploit to download and install malware on the user's computer

Social engineering is the manipulation of people to perform actions or divulge confidential information. Ransomware is most commonly delivered via email attachments (Office documents, ZIP archives, etc.), often referred to as spear-phishing. The aim of the social engineering is to entice the victim to click on a link, open an attachment, or perform some other action that will result in the installation and execution of malicious software on their machine. Social engineering is the most widespread method used by cybercrime groups to deliver ransomware to a large number of victims.

Ransomware and Malware Defense in Depth.

As most security professionals understand, there is no specific technology that is the silver bullet to stopping all malware-related incidents. Each technology, platform, and implementation has its own weaknesses and strengths. For the purposes of this blog, there are three main layers that should have some protection mechanisms associated with them:

Network Layer

Host Layer

Human Layer

The Network Layer

The network security layer is an ideal option because it’s a pro-active solution that protects the whole network when deployed properly. It does not utilize any agents and usually intercepts or has visibility into the traffic. The weakness of the network layer protection is apparent when cryptography is used to encrypt identifiable information, limiting the layer’s capability to detect and interrupt based on the characteristics of an attack.

The Host Layer

Host-based protection is equally important but often requires an attack hitting the host or originating from the host itself. While it’s ideal to stop an attack from reaching the host altogether, in some cases this cannot be prevented. If it’s assumed the network layer will be bypassed, it’s ideal to layer the host level with additional protection.

The Human Layer

The human layer is the most susceptible layer to attack. But it’s not always the fault of the person who ends up compromised. When a user is browsing the web and hits a site that is legitimate but hosts bad ad content, resulting in a malicious redirection, this ends in compromise. In that case, the Network Layer / Host Layer should be responsible for interrupting and defending against attacks. Social engineering is the greatest threat to the human layer. When exploited, it results in the execution of malicious code.

Preventing Ransomware and Malware Attacks

Filter Content

One main method of preventing malicious content from being download or executed within a corporate environment is through content filtering.

Content filtering is defined as a program/appliance that is used to screen and exclude anything that is not deemed to fit a specific security policy. At the network level, this can be applied to specific traffic or a relay system such as a mail server. At the host level, there are many ways to apply specific controls that prevent the execution of undesired content.

Content filtering includes but is not limited to:

Email Filtering

Ad Blocking

Application Control

Executable Control

Execution Control

SSL Visibility

Block Suspicious Email Attachments

Email filtering can be done at a high level utilizing content inspection as it relates to attachments that are included within a message. The recommended action is to block anything that is not strictly required by the company. As threat actors generally need to deliver a malicious file to the end user, the easiest method is to attach it to a fake email. If that file does not meet a specific, and strict, policy it will be blocked before reaching the end user.

Recommended attachments that should be blocked include:

.js

.wsf

.zip

.docm

.vbs

.exe

.msi

.dll

.html

Ad Blocking and Network Firewalls

Ad blocking is one of the best ways to prevent malicious advertising that can lead to end user compromise. Implementing ad blocking at the network-level generally utilizes a proxy or next-gen firewall. Often, this can make webpages appear broken but that is due to the web browser expecting ad content which has been blocked. If you can forego aesthetically pleasing webpages, you gain the reassurance of not being redirected to bad content via rogue advertisements.

This can also be accomplished at the host-level by utilizing browser plugins. Browser plugins have the ability to block ad content on load. They also have the ability to give you control by dynamically blocking content with a simple right click.

User Access, Application and Executable Control

Application control from a network perspective is key to limiting applications that are called through the browser. Proxies are probably the best technology that provide ways to filter based on the application that is being requested. This effectively stops malicious code from targeting vulnerable applications that are run within browsers. eSentire recommends blocking all flash-related content as it is prone to exploitation.

Controlling applications that are called through the browser can also be implemented at the host level. All major browsers support a feature called ‘click to play’ which prevents applications from auto-executing. This stops random attacks from landing as it requires the user to click the application in order to run the content. As recommended above, flash content should be both disabled and blocked in exchange for HTML5.

Executable control at the network layer is key to limiting what is downloaded. In most cases, these types of features are available on inline devices and allow you to control what files can be downloaded onto the network. It is important to remember that these controls can be bypassed if someone has encrypted or encoded the specific content that they are attempting to download.

Execution control at the host layer is very important for stopping code that is not authorized to run in an environment. This relates directly to threat actors who bypass specific network controls and get some form of malicious code onto the victim's machine. Stopping the execution of this code will prevent an attack from getting unrestricted access to that host. Recommended actions include:

Disabling Powershell (Restrict to only IT personnel that have a business requirement)

Secure Socket Layer (SSL)

SSL visibility is required to protect against threats that communicate and originate over encrypted channels. It provides context and identifiable characteristics that are needed for most security technologies to be effective. However, like most security technologies, it can be bypassed by encrypting the communications / malicious content via another encryption standard other than SSL. It also carries some potential regulatory issues for industries that deal with personally identifiable information (PII).

Security Awareness Training and Security Policy Enforcement

When technology and security controls fail, all that is left is the human layer. The human layer is the hardest layer to secure because it’s challenging to teach people the dangers of hackers. Education and training are the only ways to ensure users do not click and execute malicious content. But with changing attack methods, this still remains difficult. It is recommended that organizations continuously educate and test employees to harden them against these types of attacks. Security awareness training and phishing campaigns are great to keep employees educated and up-to-date on the latest attack techniques.

Be Proactive - Prevent Ransomware From Threatening You or Your Organization.

In conclusion, content filtering and configuration hardening are important components in the prevention of malicious code execution. The best way to protect against ransomware is to be proactive in your defense strategy. Utilizing technologies and processes at the network and host layers provide a defense in depth strategy which will be more resilient to attack. Educating your users to prevent the initial chain of potentially malicious events is just as key as layered technology. As the security is ever changing eSentire will continue to publish related content via web series and security advisories.

eSentire Media Contacts

Kurtis Armour

Information Security Consultant

Kurtis is an Information Security Consultant at eSentire, where he focuses on securing client networks, vulnerability research and exploit development. In addition to ongoing research efforts, Kurtis regularly speaks at industry conferences.